GDPR: Data Processor Privacy Tool Kit – Appendix: Shared Assessments Standardized Control Assessment (SCA) Privacy Assessment Reporting Template

Date post: 06-Oct-2020

SHARED ASSESSMENTS: The Trusted Source in Third Party Risk Management

GDPR: Data Processor Privacy Tool Kit – Appendix: Shared Assessments Standardized Control Assessment (SCA) Privacy Assessment Reporting Template

BUILDING GDPR BEST PRACTICES

DATA PROCESSOR PRIVACY TOOL KIT

Standardized Privacy Questions and Mapping

Target Data Tracker Template

Privacy Assessment Report Template

Contract Privacy Considerations

Privacy Testing Procedures

Privacy Artifacts Checklist


© 2017 The Santa Fe Group, Shared Assessments Program. All Rights Reserved.

GDPR: Data Processor Privacy Tool Kit - Version 1.0: Appendix - 2018 SCA Privacy Report Template 1 of 19

2018 SHARED ASSESSMENTS STANDARDIZED CONTROL ASSESSMENT (SCA) REPORT TEMPLATE

An SCA Companion Tool for Data Capture and Reporting: Third Party Control Validation Including Cybersecurity, Information Technology, Privacy, Cloud, Data Security and Business Resiliency

Note: This GDPR Tool Kit Version Contains Only the Privacy Section of the SCA Report Template


© 2017 The Santa Fe Group, Shared Assessments Program. All Rights Reserved.

Documents created under the Shared Assessments Program may be downloaded from the official Shared Assessments Program website at:

www.sharedassessments.org.

While retaining copyrights, the Shared Assessments Program makes specific documents available to members and purchasers for the purpose of conducting self-

assessments and third party control assessments. Licenses for other uses are available from Shared Assessments. Individuals and organizations should review the

terms of use prior to downloading, copying, using or modifying Shared Assessment Program documents.

This notice must be included on any copy of the Shared Assessments Program documents, excluding assessors’ or consultants’ reports.

The Shared Assessments Program is administered by The Santa Fe Group (www.santa-fe-group.com). Questions about this document and the program should be

directed to: mailto:[email protected].


Introduction (p. 4)

P. Privacy (p. 6)

P.1 Privacy Program Management (p. 6)

P.2 Privacy Organization & Program Maintenance (p. 7)

P.3 Privacy Awareness (p. 9)

P.4 Privacy Risk Assessments (p. 10)

P.5 Privacy Notice, Choice & Consent (p. 10)

P.6 Web Site Compliance (p. 12)

P.7 Management of Client-Scoped Privacy Data (p. 13)

P.8 Data Protection, Privacy Incident Notification and Response Management (p. 15)

P.9 Third Party Privacy Agreements (p. 16)

P.10 Authorizations, Monitoring & Enforcement (p. 17)


Introduction

This companion document to the SCA, the SCA Report Template, provides a standardized approach to collecting and reporting onsite control assessment results. The template provides a mechanism to track “compensating items” and is a tool for organizations that do not have a proprietary enterprise risk platform in place to manage onsite assessment results and reporting. Alongside testing for the specific controls identified in the SCA, the SCA Report Template allows an assessor to include any additional mitigating controls (and accompanying documentation) believed to be relevant to meeting a control requirement.

Of note for the 2018 Tool Release: the Agreed Upon Procedures (AUP) Tool has been renamed the Standardized Control Assessment (SCA) procedures. This was done to better communicate the function of the SCA and to align its name with the Standardized Information Gathering (SIG) questionnaire. In 2018, these two Shared Assessments Program Tools have been even more tightly aligned and designed to be used together. The name change also helps eliminate possible confusion with AICPA “Agreed Upon Procedures” (AUP) Attestation Engagements.

Note: Additional information regarding the SCA and SCA Report Template is available at www.sharedassessments.org.

Organizational Background

Scope

Scoping statement from the service provider, to include company name, locations, systems, services, products, etc. to be included in this assessment. Determining scope is a critical step in executing the SCA. Scope is to be determined based on the general controls of the technology, systems and processes that are common to any or all clients. Client-specific contractual requirements should not be included in the scope of this assessment, as the SCA is designed to be distributed to any client who requests it, similar to how a company would determine the controls to be tested in an SSAE 16/18 engagement.


THIS PAGE LEFT BLANK INTENTIONALLY

ASSESSMENT FIRM AND/OR ORGANIZATION TO PROVIDE COVER LETTER


P. Privacy

Domain Objective:

Organizations should establish and maintain a privacy program and management framework to control and manage the protection of client-scoped privacy data and client confidential information, including any classification of non-public personal information or personal data of individuals. This should include the overall management of client-scoped privacy data and confidential information within the organization and with third parties. The privacy program should include: individuals or organizational structures responsible for the creation, oversight and maintenance of the program; privacy data inventories and flows; privacy policies or procedures that address notice, choice and consent for client-scoped data; the management of client-scoped privacy data through its life cycle of collection, storage, usage, processing, sharing, transferring, securing, retention and destruction; third party agreements for meeting their commitments under the organization’s business requirements, applicable privacy laws, policies, processes, technologies and industry leading practices; and applicable authorizations, monitoring and enforcement mechanisms that address inquiries, disputes or complaints.

P.1 Privacy Program Management

Objective:

An organization should understand the scope of the client-scoped privacy data inventory and flows in order to understand which privacy regulations are triggered based on data classification. An organization should maintain an inventory of client-scoped privacy data that should, at a minimum, define client-scoped privacy data by data category or data classification based on the data inventory, assign ownership for management of client-scoped privacy data, and document the flow of client-scoped privacy data throughout the data life cycle of collection, storage, usage, processing, sharing, retention and retirement through the organization. The inventory and flows should include all client-scoped privacy data that is provided to, or shared with, any of the organization’s affiliates, subcontractors or other third parties, including any cross-border data flows.

Attribute Attribute or Document Present

(Yes, No, or N/A)

Confirm the scope of the specific privacy regulatory jurisdictions that are applicable to the client-scoped data and the services in scope for the assessment.

Obtain from the organization a copy of its client-scoped privacy data inventory, the inventory/data flow, and a copy of the privacy policy, data classification policy and procedures for jurisdictions determined to be in scope.

Obtain from the organization a list of current third parties that access scoped privacy data, and randomly select a sample of five from the third party list.

For the third parties identified in the above sample set, obtain from the organization a copy of the privacy data inventory, the inventory flow and a copy of the privacy policy, privacy notices, related approvals and procedures for jurisdictions determined to be in scope.


For the organization, and each third party in the sample chosen, inspect the privacy inventory flow documents obtained above for evidence of the following attributes:

Security Classification for each data subject category

Privacy inventory and data flow for each jurisdiction or group of jurisdictions

Privacy inventory flow for sources/origin (including from whom [entity] and from where [country] the data was collected, and how it was collected [electronic, paper]), specifically including countries with privacy laws that transcend the borders of their country or region (e.g., EU/EEA, Canada, China, AR, AU, NZ, HK, JP) and other onward transfer requirements or cross-border data access regimes for scoped privacy data, such as Privacy Shield, APEC or various seal programs

Scoped privacy data owner and scoped privacy data controller, if applicable

Location (entity and country) for storage

Retention and destruction schedules

Purpose(s) for collection and use

List of who (role and location [entity and country]) uses scoped privacy data for what purposes

List of who (role and location [entity and country]) receives scoped data

Comments:

P.2 Privacy Organization & Program Maintenance

Objective:

An outsourcing organization should ensure that the service provider and its applicable third parties each have a designated privacy function with responsibility assigned for its privacy policy and privacy program as it relates to client-scoped privacy data. The privacy program should contain enforcement and monitoring procedures and a change management procedure to remain current with privacy changes in business requirements, applicable privacy law, policy and industry best practices.

Attribute Attribute or Document Present

(Yes, No, or N/A)

Using the sample of third parties from the list obtained in P.1 Privacy Program Management, obtain from the organization and from the selected third parties (for outside parties, seek this information through the organization being assessed) a copy of the current, approved organization chart and procedures for privacy function responsibilities; the most recent reviews, due diligence, compliance and enforcement events, audits, external assurance reports (e.g. ISO, SCA, PCI, SOC, HITRUST, etc.), security program audits, remediation plans and changes implemented during the past 12 months; and any privacy regulator findings or court ruling(s) concerning scoped privacy data, each confirmed by the third parties as current and complete.

For each third party in the sample chosen, inspect the documents to confirm that the organization and third parties have documents regarding their responsibilities for managing their privacy program and supporting the privacy programs of their clients, by looking for evidence of the following attributes:

An individual or function is responsible for privacy

Due diligence procedures for third parties regarding compliance with applicable privacy law prior to contracting with a third party

Evidence of review of company-scoped privacy data practices for compliance with the privacy program, and enforcement procedures for non-compliance

Confirmation of the organization having conducted assessments or received external audit reports of third parties accessing scoped privacy data

Security program audits or assessments

Confirm that organization procedures are in place specific to unique privacy jurisdiction obligations based on services provided and data classification

Confirm that organization and respective third party contract provisions are in place that are specific to the privacy jurisdiction obligations based on services provided (e.g. GLBA Data Safeguarding provisions, FACTA Disposal Rules, Business Associate Agreement, Standard Model Clauses, etc.)

For the organization and each third party in the sample chosen, report the attributes listed above that are not present

If the organization reports that certain attributes listed above are not applicable, report those attributes as exceptions.

Comments:


P.3 Privacy Awareness

Objective:

An organization and its third parties should ensure that recurring privacy awareness training occurs for their employees and contractors and that participation records are maintained. This ensures employees and contractors are aware of key information privacy requirements and their obligations to maintain the privacy of client-scoped privacy data.

Attribute Attribute or Document Present

(Yes, No, or N/A)

Using the sample from the third party list obtained in P.1 Privacy Program Management, obtain from the organization and the selected third parties, via the organization, a current list or description of the employees and contractors who access the scoped privacy data; a description of the privacy awareness training for the past year for these employees and contractors; and, for each sample item, the most recent physical or electronic record evidencing participation in the applicable privacy awareness training.

For each item in the sample, inspect the privacy awareness training materials and participation records or evidence (as appropriate) for the following attributes:

Confirmation in the participation record that the employee has received privacy awareness training within the last year

Privacy information classification and control guidelines, including rules for information collection, use, transmission, retention and destruction

Information on legal, regulatory and contractual responsibilities for privacy

Employee and contractor comprehension testing of the privacy awareness program

Information on consequences (including penalties) for violations of applicable privacy law, contractual obligations or company policy

Information on email and Internet usage guidelines regarding privacy and monitoring

Onboarding privacy training for all employees

Records maintained that document participation in training against target metrics and dates

For each item in the sample, report as a finding:

The number of organization employees and contractors and the number of third parties’ employees and contractors sampled

The number of organization employees and contractors and the number of third parties’ employees and contractors sampled for whom the most recent evidence of privacy training is older than one year or does not exist


Comments:

P.4 Privacy Risk Assessments

Objective:

An organization should maintain a privacy risk assessment process that is in accordance with its legal, regulatory and contractual obligations to provide privacy protection for client-scoped privacy data. It should demonstrate support for, and commitment to, identifying privacy risks and associated mitigation, including management reporting. It should, where required, maintain procedures to assess privacy impact and embed privacy requirements based on changes in applicable law, new systems, applications or devices.

Attribute Attribute or Document Present

(Yes, No, or N/A)

Obtain the following records:

The most recent privacy risk assessments, remediation plans and changes implemented regarding privacy during the past 12 months

The records that identify privacy risk and mitigation plans

Records of any privacy regulator findings

Court ruling(s) concerning scoped privacy data within the last 12 months

Inspect the records for evidence of the following attributes:

Changes to the privacy risk assessment documents based on due diligence, review, compliance and enforcement procedures, onsite audits and security program audits during the past 12 months

Management review and approval

Review to incorporate any privacy regulatory findings

Review to incorporate any court rulings concerning scoped privacy data within the last 12 months

Comments:

P.5 Privacy Notice, Choice & Consent

Objective:

An organization should provide management policy, direction and support for information privacy in accordance with its legal, regulatory and contractual obligations to provide privacy protection for client-scoped privacy data. It should demonstrate support for, and commitment to, information privacy through the issuance, acceptance and maintenance of internal privacy policies across the organization. It should, where required, communicate that commitment to data subjects or individuals via external privacy notices and, where applicable, obtain their consent for certain uses of scoped privacy data (e.g., protected privacy data). It should ensure that third parties’ privacy policies and privacy notices are consistent with the organization’s privacy policies and privacy notices. The privacy policies and privacy notices should incorporate the key areas of privacy and should be reviewed at planned intervals (at least annually), or if significant changes occur, to ensure continuing suitability, adequacy and effectiveness.

Attribute Attribute or Document Present

(Yes, No, or N/A)

Obtain from the organization a copy of its master services agreement with the outsourcer, its most current vendor contract, the applicable privacy policy or procedures, and its privacy notices. Using the sample of third parties from the list obtained in P.1 Privacy Program Management, obtain a copy of their current contract and supporting documents.

Inspect the privacy policies or procedures for a revision history and documentation that the policy has been approved by management within the last 12 months

Report if the privacy policies contain a date of the last management approval and last periodic review. xx/xx/xx

Inspect the copies of the contract obtained, and identify contract limitations/restrictions regarding privacy. Once identified, inspect the privacy policies and privacy notices (where applicable) for alignment with those requirements.

Inspect the privacy notices for evidence of the following attributes:

Direct reference to the scope of applicable privacy jurisdiction or privacy domains based on industry frameworks

Categories of personal information and scoped privacy data collected, and the purposes (or restrictions) for which this information is used

Categories of protected, scoped privacy data and requirements to protect this information

Categories of affiliates and other third parties to whom the organization discloses scoped privacy data

Notice of cross-border transfer or access of scoped privacy data (when applicable), with a requirement to comply with applicable privacy laws on cross-border transfers

Security section that states the commitment to protect personal information and scoped privacy data

Data subject access and corrections section that informs individuals how to gain access to scoped privacy data for review, correction and/or deletion

Data subject contact section for questions and complaints


Disclosure regarding the collection of personal information of children

Reference to the law of the jurisdiction, where data is transferred between jurisdictions

Changes to the privacy notice (if any), including effective date

Reference to any applicable data portability processes or procedures for data destruction upon individual request

Web technology used (e.g. pixels, cookies, web beacons), including description(s) and an explanation of how these technologies are used, including an explanation of any choices the site user has over their use (e.g., opt-out mechanism for online behavioral advertising)

A “consent to the privacy notice” section, which varies from jurisdiction to jurisdiction

Choices regarding receipt of marketing/promotional communications

For the organization, and each third party in the sample chosen, report the attributes listed above that are not present.

If the organization reports that certain attributes listed above are not applicable, report those attributes as exceptions.

Comments:

P.6 Web Site Compliance

Objective:

An organization with Internet-facing website(s) that provide access to scoped data should have a website privacy policy developed, published and communicated to all users who have access to scoped data from that website.

Attribute Attribute or Document Present

(Yes, No, or N/A)

Obtain from the organization documentation for website setup and security. Using the sampling parameters in the introduction to the Privacy section, select a sample of Internet-facing, publicly-accessible, end-user websites where scoped data is accessible from an inventory of target systems. For each item, access each selected website via a web browser.

Inspect the sample item upon access for evidence that a link to the privacy policy exists


Report the number of websites sampled

Report the sites that do not provide a link to the privacy policy and the number of websites that do not have a privacy statement

Comments:
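The P.6 check above (open each sampled site, record whether a link to the privacy policy is present, then report the number of sites sampled and the sites without such a link) can be run over a list of pages rather than by hand. The following is an added example and is not part of the Shared Assessments template. It embeds constructed sample pages inline (not real sites) and assumes, as a working rule, that an anchor whose href or visible text contains the word "privacy" counts as a privacy policy link; a real run would fetch each sampled URL and pass the returned HTML to the same function.

```python
"""Added example (not from the Shared Assessments template): an offline
version of the P.6 website check. For each sampled page, look for a link to
a privacy policy and produce the two report fields the template asks for:
the number of sites sampled and the sites that lack a privacy policy link."""
from html.parser import HTMLParser
import re

# Working rule (assumption, not from the template): an anchor counts as a
# privacy policy link if its href or its visible text mentions "privacy".
PRIVACY_PATTERN = re.compile(r"privacy", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element on a page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, else None
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        # Text inside nested tags (<a><span>Privacy</span></a>) still counts.
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def has_privacy_link(html):
    """True if the page contains at least one anchor matching the rule."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return any(PRIVACY_PATTERN.search(href) or PRIVACY_PATTERN.search(text)
               for href, text in parser.links)


def assess_sample(pages):
    """pages: mapping of sampled URL -> fetched HTML.
    Returns the P.6 report fields: sites sampled and sites missing a link."""
    missing = sorted(url for url, html in pages.items()
                     if not has_privacy_link(html))
    return {"sampled": len(pages), "missing_privacy_link": missing}


# Constructed sample pages standing in for fetched HTML (not real sites).
SAMPLE_PAGES = {
    "https://portal.example/login":
        '<html><body><a href="/legal/privacy-policy">Privacy Policy</a>'
        '</body></html>',
    "https://app.example/":
        '<html><body><footer><a href="/terms">Terms</a>'
        '<a href="/datenschutz"><span>Privacy Notice</span></a>'
        '</footer></body></html>',
    "https://support.example/":
        '<html><body><a href="/terms">Terms of Use</a>'
        '<a href="/contact">Contact</a></body></html>',
}

if __name__ == "__main__":
    print(assess_sample(SAMPLE_PAGES))
```

The second sample page links to the policy under a non-English path but English anchor text, which is why the rule matches on both href and text. Pages that expose the policy only through script-rendered menus, images or a consent banner injected after load will not be found by a static parse, so those sites still need the manual browser inspection the template describes; and, as the template notes, the presence of a link is a separate finding from the presence of an actual privacy statement at the other end of it.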

P.7 Management of Client-Scoped Privacy Data

Objective:

An organization should ensure that collection, storage, use, access, sharing, transport, retention and deletion of client-scoped privacy data is in accordance with applicable privacy law, privacy policy, privacy notices and industry standard practices, is represented in its documented procedures, and that these procedures are maintained.

Attribute Attribute or Document Present

(Yes, No, or N/A)

Using the sample from the third party list obtained in P.1 Privacy Program Management, obtain from the organization and the selected third parties, via the organization, a copy of the current approved privacy procedures.

Using the privacy policy, privacy notices and procedures obtained from the organization in P.5 Privacy Notice, Choice & Consent, inspect the written privacy procedures for evidence of the following attributes:

Procedures for delivery, collection, storage, use, access and sharing of privacy notices, consents and permissions

Procedures for collection, storage, use, access, sharing, transport, retention and deletion of client-scoped privacy data

Procedures that define that client-scoped privacy data is only collected, stored and used for the purposes for which it was collected

Access to client-scoped privacy data by organization employees, third parties and any other individuals is on a need-to-know basis only

If applicable, the conduct of background, criminal, health or other types of screening of individuals who have access to client-scoped privacy data (including credit, drug, medical or psychological tests)

Procedures to mask, anonymize or de-personalize client-scoped data

Procedures that define organization employee and third party employee obligations to take special care and safeguard protected, client-scoped privacy data at a higher level based on privacy jurisdiction


Procedures that define compliance with applicable privacy law for retention of client-scoped privacy data

Procedures for the secure deletion or removal of scoped privacy data according to the security policy and/or contractual obligation

Procedures for managing compliance with applicable privacy laws or policies that are in conflict from a retention and deletion perspective (e.g., pending request of discovery of documents in litigation vs. document deletion regulation of client-scoped privacy data)

If applicable, procedures for handling client-scoped privacy data outside of the country in which it was collected, including appropriate safeguards for compliance with applicable privacy law, such as cross-border transfers (including permitting access to or viewing) of scoped privacy data and countries where transfer of certain scoped privacy data is prohibited

Procedures to deliver instructions for organization employees and third parties on sharing and cross-border transfers of client-scoped privacy data

Procedures for sharing client-scoped privacy data with affiliates for their use

Procedures to maintain accuracy and currency of client-scoped privacy data

Evidence of approval, including the most recent approver’s title and date of approval

Date of last review xx/xx/xx

Revision history

Procedures to limit viewing by customers of their own data

Procedures to identify, capture, preserve and transfer scoped data, in the event of a legal preservation request, without impacting other scoped data

Procedures that address the quality and accuracy of personal information

For each item in the sample, report:

The total number of service providers and third parties with access to client-scoped privacy data

The number of third parties sampled and the details of the service providers and third parties sampled whose privacy procedures do not address the attributes listed above

Approver’s title and date of approval xx/xx/xx

Date of last review xx/xx/xx

Existence or nonexistence of a revision history by the organization and third party

Comments:


P.8 Data Protection, Privacy Incident Notification and Response Management

Objective:

An organization should establish a formal privacy incident communication procedure, integrated with the security incident response and escalation procedures, to be executed in the event of unauthorized disclosure or breach or other required privacy communication requirement to data subjects or other entities, including applicable law enforcement and governmental agencies. An organization should establish procedures for notification by third parties that access, process or store client-scoped privacy data. These procedures should include the documentation of a post-incident report which documents the unauthorized disclosure, breach, lessons learned and a summary of events related to the incident.

Attribute Attribute or Document Present

(Yes, No, or N/A)

Obtain from the organization its privacy incident response plan, and inspect the plan for evidence of the following attributes:

Process for assessing the data subject category or data classification based on applicable privacy law

Inspect the privacy incident notification section of the organization’s privacy incident response plan for evidence of the following attributes:

Incident notification communication plan and samples

Escalation procedures

Law enforcement, industry (such as card brands, in the case of credit card loss) and regulatory agencies (such as federal, state, data privacy authorities, etc.) to contact

Third party breach procedures

Roles and responsibilities are documented

Obtain from the organization a sample of the last incident response report or evidence of privacy incident response logging/reporting, and inspect the sample report for evidence of the incident being summarized and lessons learned identified and documented.

Using the sampling parameters in Section Y, select a sample of third parties from the list obtained in Privacy Program Management. Obtain from the organization and the selected third parties, via the organization, the privacy and security event communication procedures. For each item in the sample, inspect the document(s) obtained above for evidence of the following attributes:

Privacy communications team, security incident response procedure and escalation procedures, in each case, with defined roles and responsibilities

Procedures for notifying and supporting subsequent follow up for data subjects, third parties, service providers, organizations or government regulatory bodies, and the media; in each case, in accordance with an applicable agreement, privacy law or security law

Requirement to meet appropriate deadlines required by applicable privacy law or applicable security law


The third party’s privacy and security event communications procedures contain the requirements specified in the service provider’s privacy and security event communications procedures

Procedures for handling privacy-related complaints, including notification or escalation to client

Comments:

P.9 Third Party Privacy Agreements

Objective:

All entities that access, process or store client-scoped privacy data can be a risk to an organization or its clients. Management should ensure that all agreements with third parties contain specific clauses to ensure scoped privacy data is protected and that certain other privacy requirements are included.

Attribute Attribute or Document Present

(Yes, No, or N/A)

Using the sample of third parties from the list obtained in P.1 Privacy Program Management, obtain from the organization and selected third parties, via the organization, the privacy and security portions of the agreement with the organization in place for providing services and a representative sample of third party privacy and security sections of the agreements from each third party.

Inspect each agreement chosen in the sample for evidence of the following attributes:

Third party requirement to protect all scoped privacy data and protected scoped privacy data

Third party requirement to document the flow of scoped privacy data within its organization and to those third parties with whom it shares scoped privacy data

Third party requirement to process scoped privacy data in accordance with the agreement

Third party requirement to collect only the minimum scoped privacy data necessary to achieve the purposes for which it is collected

Third party requirement to collect scoped privacy data by legal means only

Third party requirement to implement policies, procedures and safeguards consistent with the agreement’s specified privacy requirements, applicable privacy law, policy and industry best practices when managing scoped privacy data

Third party requirement to notify organization of potential event affecting scoped privacy data

Third party requirement to notify organization if a data subject requests access, correction or deletion of his/her scoped privacy data, or asks a question or makes a complaint


Third party requirement to comply with applicable privacy law, including countries with privacy laws that transcend the borders of their country or region (e.g., EU/EEA, by entering into the model clauses for international data transfers, Canadian, China, AR, AU, NZ, HK, JP and other onward transfer requirements for privacy of scoped privacy data, such as APEC or various seal programs)

Retain or delete scoped privacy data according to a schedule

Retain scoped privacy data within certain country/region boundaries

Protect organization employee-scoped privacy data

Contractually pass on “at least as stringent” privacy obligations under this agreement to any third parties that access or handle in any way the scoped privacy data and all further levels/chains of third parties

Prohibition on the sale of scoped privacy data, where required

For the organization, and each third party in the sample chosen, report the attributes listed above that are not present

Comments:

P.10 Authorizations, Monitoring & Enforcement

Objective:

An organization and its third parties that access, process or store client-scoped privacy data should have completed the applicable notifications, registrations, permits, approvals and/or adequacy derogations as required by applicable privacy law and have implemented enforcement and monitoring procedures that address privacy incidents, complaints or disputes based on its privacy obligations.

Attribute Attribute or Document Present

(Yes, No, or N/A)

Obtain from the organization the legal authorizations for privacy-related data collected and stored by the company.

Obtain artifacts of records of legal authorizations and any related documentation required under applicable privacy law and their privacy inventory flow. This includes registrations and permits from authorities in each jurisdiction receiving scoped privacy data identified in the privacy inventory flow, required by applicable privacy law, privacy notices for each applicable jurisdiction and the adequacy of mechanisms, such as individual consents, Privacy Shield filings, model contracts, binding corporate rules, and/or other derogations. This may also include due diligence of the privacy function, compliance and enforcement events, external security program audits, change management procedures, remediation plans and changes implemented during the past 12 months and any privacy regulator finding(s) or court ruling(s) concerning scoped privacy data.

Inspect documentation for the following attributes:

Notifications, registrations, permits and approvals and adequacy mechanisms (such as Privacy Shield, binding corporate rules and any approval required by data protection authorities)

Mandated reviews and/or approvals of privacy material required under applicable privacy laws

Outstanding requests from data protection authorities or any other entity that regulates scoped privacy data

Outstanding remedial steps for any disputes or legal authorizations not granted by any data protection authority or any other entity that regulates scoped privacy data

List of legal authorizations, permits or registrations required

Completed authorization documentation that documents purpose for each applicable legal authorization

Privacy Shield or data protection authority related filings and related compliance documentation

Privacy data flows including cross-border transfers

Documentation on handling of privacy complaints and dispute resolution processes

Using the sample of third parties from the list obtained in P.1 Privacy Program Management, obtain from the organization and the selected third parties, via the organization, artifacts and records of legal authorizations, permits, registrations, and any related documentation required under applicable privacy law and their privacy inventory flow. This would also include due diligence of the privacy function, compliance and enforcement events, external security program audits, change management procedures, remediation plans, changes implemented during the past 12 months and any privacy regulator finding(s) or court ruling(s) concerning scoped privacy data.

For each item in the sample, inspect for the following attributes:

Notifications, registrations, permits and approvals and adequacy mechanisms (such as EU model clauses, Safe Harbor, binding corporate rules and any approval required by data protection authorities)

Mandated reviews and/or approvals of privacy material required under applicable privacy laws

Outstanding requests from data protection authorities or any other entity that regulates scoped privacy data


Outstanding remedial steps for any disputes or legal authorizations not granted by any data protection authority or any other entity that regulates scoped privacy data

For each item in the sample, report the organization and third parties with access to scoped privacy data who do not have documentation of the approvals required by the data protection authorities and mandated reviews required under applicable privacy laws.

For each item in the sample, report records of outstanding requests from data protection authorities or any other entity that regulates scoped privacy data and records from outstanding remedial steps for any disputes or legal authorizations not granted by any data protection authority or any other entity that regulates scoped privacy data

Comments:


The Shared Assessments Program has been setting the standard in third party risk assessments since 2005. Shared Assessments, the trusted source in third party risk assurance, is a member-driven, industry-standard body with tools and best practices, that injects speed, consistency, efficiency and cost savings into the control assessment process. Shared Assessments Program members work together to build and disseminate best practices, building resources that give all third party risk management stakeholders a faster, more rigorous, more efficient and less costly means of conducting security, privacy and business resiliency control assessments.

P: (505) 466-6434 F: (505) 466-3111 E: [email protected]
